While working on smart card authentication issues, a common request we receive in Tech Support is: how can we make Single Sign-on work with smart cards for Windows 7 and Vista clients? With full Kerberos support, it works for clients joined to the domain. I recently worked in my lab to simulate the behavior and used Kerberos constrained delegation to configure pass-through authentication for non-domain-joined machines, with the authentication point set to "At Web Server".
Environment
Windows Server 2008 R2 domain
XenApp 6.0 + HF 86 - single server acting as XML broker, application host, etc.
Web Interface 5.4
ICA client 12.1 on Windows 7 machines
Gemalto .NET card
Configuration (starting with the easiest part)
1. On the XenApp server
Check that the registry settings have taken effect under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\IMA\XML Service and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\IMA\Citrix XML service. Note: run GPUPDATE /FORCE from the command prompt if the policies have not been registered.
2. Web Interface
A. Use SSL (https)
B. Create a site with the authentication point set to "At Web Server"
C. Open IIS Manager, select your server name and ensure that the Active Directory Client Certificate Authentication feature is installed
D. Open IIS Manager, go to Sites > Default Web Site > Citrix >
E. Set the SSL settings on the Citrix virtual directory in IIS
3. On the domain controller - this is the main part:
- Go to Active Directory Users and Computers
- Open the Web Interface server's computer account properties > Delegation tab and set the following entries
- "Trust this computer for delegation to specified services only"
- "Use any authentication protocol"
- Add the HTTP service on the XML broker server
- Then open the properties of the XenApp / XML broker computer account > Delegation tab and set the following entries
1. "Trust this computer for delegation to specified services only"
2. "Use any authentication protocol"
3. Add CIFS > each domain controller
4. Add HOST > each XenApp server hosting apps
5. Add LDAP > each domain controller
4. On the client machine - add the WI site to the "Trusted Sites" zone and enable "Automatic logon with current username and password". This makes IE prompt for credentials, and if you have inserted your smart card, it asks for the PIN.
Note: ensure you have XenApp 6.0 with XML shared with IIS. Also, make sure to use constrained delegation. If you select unconstrained delegation ("Trust this computer for delegation to any service (Kerberos only)"), you will not be able to authenticate to the WI / IIS server. A network trace may help to troubleshoot any problem.
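The delegation entries from step 3 can also be set and verified from PowerShell instead of clicking through the Delegation tab. This is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation, and the domain name, server names and app-host list are placeholders you must replace.

```powershell
# Added example (not from the original post). Placeholder names below must be
# replaced with your own environment's values.
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'   # placeholder AD DNS domain
$WiServer  = 'WI01'               # placeholder Web Interface server
$XmlBroker = 'XA01'               # placeholder XenApp XML broker
$AppHosts  = @('XA01')            # placeholder XenApp servers hosting apps
$Dcs       = (Get-ADDomainController -Filter *).HostName

function Set-ConstrainedDelegation {
    param([string]$Computer, [string[]]$Spns)
    $acct = Get-ADComputer -Identity $Computer
    # "Trust this computer for delegation to specified services only" is the
    # msDS-AllowedToDelegateTo list; "Use any authentication protocol" is the
    # TRUSTED_TO_AUTH_FOR_DELEGATION flag. Unconstrained delegation
    # (TrustedForDelegation) is switched off, as the note above requires.
    Set-ADComputer -Identity $acct -Replace @{'msDS-AllowedToDelegateTo' = $Spns}
    $acct | Set-ADAccountControl -TrustedForDelegation $false -TrustedToAuthForDelegation $true
}

# Web Interface server -> HTTP service on the XML broker (FQDN and short name)
Set-ConstrainedDelegation -Computer $WiServer -Spns @("HTTP/$XmlBroker.$Domain", "HTTP/$XmlBroker")

# XML broker -> CIFS and LDAP on every DC, HOST on every app-hosting XenApp server
$brokerSpns = @()
foreach ($dc in $Dcs)      { $brokerSpns += "CIFS/$dc"; $brokerSpns += "LDAP/$dc" }
foreach ($xa in $AppHosts) { $brokerSpns += "HOST/$xa.$Domain"; $brokerSpns += "HOST/$xa" }
Set-ConstrainedDelegation -Computer $XmlBroker -Spns $brokerSpns

# Verification: show the resulting configuration and flag unconstrained delegation
foreach ($c in @($WiServer, $XmlBroker)) {
    $acct = Get-ADComputer -Identity $c -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    if ($acct.TrustedForDelegation) {
        Write-Warning "$c is set to unconstrained delegation; logon to WI will fail."
    }
    "{0}: protocol transition={1}; allowed targets={2}" -f $c, $acct.TrustedToAuthForDelegation, ($acct.'msDS-AllowedToDelegateTo' -join ', ')
}
```

Run the verification loop on its own after configuring through the GUI to confirm that both computer accounts carry the expected service list and that neither has been left on unconstrained delegation.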
Many of our customers look at Kerberos delegation as an alternative authentication method for Citrix XenApp. A Kerberos-based authentication system offers several key security benefits along with faster logons, for increased user satisfaction. This is especially true for smart card users, because it reduces the number of times the user certificate must be validated with the CA, and thus the number of PIN prompts. There are certain things to consider when designing your environment for Kerberos authentication:
- Every single network service used by all your applications and agents must be defined as a Kerberos delegation target in AD. There is no way to enable Kerberos delegation for "all services".
- Kerberos is not recommended for XenApp published desktops, because a user can potentially open network resources for which the environment has not been set up with the required delegations, thus locking their account.
Documentation exists that describes the implementation of Kerberos delegation with domain-joined clients. The steps above focus on how to configure Kerberos with XenApp to work with non-domain-joined clients.